[xmlsec] signature verification failures using NSS with FIPS
Roumen Petrov
xmlsec at roumenpetrov.info
Sat Jan 2 09:34:31 PST 2016
Hello,
I would like to continue the discussion.
Aleksey, please find my comments below.
Lara Blatchford wrote:
> We are using mod_nss 1.0.8, this appears to indicate that the bug being described
> was addressed in mod_nss 1.0.3
>
> Thanks,
> Lara
>
> -----Original Message-----
> From: Aleksey Sanin [mailto:aleksey at aleksey.com]
> Sent: Thursday, June 25, 2015 12:55 PM
> To: Lara Blatchford; xmlsec at aleksey.com
> Subject: Re: [xmlsec] signature verification failures using NSS with FIPS
>
>
> https://www.google.com/search?q=nss+certificate+verification+fails+fips+mode&ie=UTF-8#q=nss+certificate++failed+fips+
>
> The first link.
I don't think that results from internet queries could help.
The main issue is that the NSS module is in FIPS mode.
I'm not sure that pages like
"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation"
could explain the difference.
It seems to me that when the module is in FIPS mode the user should authenticate to
it on each operation. In particular, the verify operation also requires the user
to enter a password.
xmlsec should use PK11_SetPasswordFunc to register a password callback.
It seems to me the NSS test database is not protected by a "master" password,
and so test operations pass in non-FIPS.
> Aleksey
>
[SNIP]
Regards
Roumen Petrov
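
As an added illustration, not part of the original message and not xmlsec's own code: a C program that registers a password callback with PK11_SetPasswordFunc and logs in to the internal key slot before any verify call. The names demo_pick_pin and demo_password_cb, the USE_NSS build switch and passing the PIN through the wincx argument are assumptions of this example.

```c
/* Added example (not xmlsec code). Build against NSS with:
 *   cc -DUSE_NSS demo.c $(pkg-config --cflags --libs nss)            */
#include <stddef.h>

/* Hypothetical helper: choose what the callback hands to NSS.
 * On a retry NSS has already rejected this PIN, so return NULL to end
 * the login attempt instead of resubmitting the same PIN in a loop. */
const char *demo_pick_pin(int retry, const char *pin)
{
    if (retry || pin == NULL || pin[0] == '\0')
        return NULL;
    return pin;
}

#ifdef USE_NSS
#include <stdio.h>
#include <nss.h>
#include <pk11pub.h>
#include <secport.h>

/* PK11PasswordFunc: NSS frees the returned string, so hand it a copy
 * made with PORT_Strdup. `arg` is the wincx given to PK11_Authenticate. */
static char *demo_password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
{
    const char *pin = demo_pick_pin(retry, (const char *)arg);
    (void)slot;
    return pin ? PORT_Strdup(pin) : NULL;
}

/* Usage: ./demo <nss-db-dir> <pin>  (PIN on argv is for the demo only) */
int main(int argc, char **argv)
{
    PK11SlotInfo *slot;
    int rc = 1;

    if (argc != 3 || NSS_Init(argv[1]) != SECSuccess)
        return 2;
    PK11_SetPasswordFunc(demo_password_cb);
    slot = PK11_GetInternalKeySlot();
    printf("FIPS mode: %s\n", PK11_IsFIPS() ? "yes" : "no");
    /* Log in before any sign/verify call if the slot asks for it. */
    if (slot != NULL && (!PK11_NeedLogin(slot) ||
            PK11_Authenticate(slot, PR_TRUE, argv[2]) == SECSuccess))
        rc = 0;
    if (slot != NULL)
        PK11_FreeSlot(slot);
    NSS_Shutdown();
    return rc;
}
#endif
```

Running it against the same database with FIPS mode off and on shows whether the login step is what differs between the two cases.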